From growing cyber risk to geopolitical instability, law firms rethink resilience


As law firms encounter an increasingly broad range of complex and high-impact risks to their operations and future growth, the need for stronger risk management and a more strategic approach to resilience has never been more important.

A complex and fast-changing risk landscape

Cyber risk is the top threat to achieving business ambitions in the next 1-2 years, cited by 90% of the Top 100 law firms in PwC’s 2024 Law Firms’ Survey. Geopolitical instability is also a fast-growing area of concern, up by six percentage points on last year. And despite an improvement in the UK economic outlook, macroeconomic volatility remains a significant threat to growth, particularly for larger international firms.

Almost half (46%) of the Top 100 law firms also say keeping pace with the speed of technological change is a key concern. Firms are trying to balance understanding and mitigating the new risks that emerging technologies such as generative AI (GenAI) bring against the productivity improvements and commercial opportunity their use offers. All of this underlines the critical importance of broader tech resilience across the people, operations and extended supply chain of law firms.

Cyber security investment increases as threats grow

The return of cyber risk to the top of law firm concerns in this year’s survey is fuelled by rapid technological change, as well as the growing volume of connected devices, hybrid working and the increasing sophistication of threat actors. The highly sensitive and valuable nature of the client data that law firms hold also makes firms heightened targets for both cyber criminals and nation states. Ransomware attacks in particular remain an evolving and dangerous cyber threat for law firms, with attackers now threatening to leak sensitive data in addition to encrypting IT systems.

Given this elevated cyber risk, the Top 50 law firms are increasing cyber security spend - notably up by 42.6% in the Top 11-25 banding. However, a 7.5% reduction in cyber security spend among the Top 51-100 could leave those mid-tier firms exposed to potential reputational damage, financial loss, and legal repercussions if client confidentiality is compromised through a cyber attack.

An increasingly important area of focus for cyber and broader risk for law firms is supply chains. Almost half (46%) of the Top 50 firms reported at least one supply chain attack in the last year, with 80% of those reporting more than one occurrence. Given the increased prevalence of attacks on suppliers and the sensitive data they handle, law firms need to be especially vigilant in managing their third party relationships.

Preparedness is also key to building greater cyber resilience. Yet a third of Top 100 firms have not had senior management participate in a crisis management exercise in the last 12 months. Even for those firms that have conducted exercises, they are often not realistic enough to prepare leadership for the critical decisions that need to be made under extreme pressure. To build that vital crisis muscle memory, simulation exercises should cover everything from speed of detection and escalation to internal communications friction and the order that IT systems need to be brought back online.

Phishing attacks and employee errors remain the most frequent causes of security incidents, with 100% of Top 10 firms experiencing data breaches or system outages unintentionally caused by employees and/or through successful phishing attacks. This reinforces the importance of incorporating 'human cyber risk' and cyber hygiene awareness into the cyber strategy of law firms.

Cyber risk also needs to be addressed by managing partners and risk committees, ensuring that appropriate cyber governance is understood and that the technology leaders within the firm are being effectively challenged on cyber risk. More forward-thinking law firms are also moving away from traditional security maturity scoring models to a broader risk-based approach that looks at which areas have the biggest impact and cost, and that quantifies cyber risk in financial terms.

Growing geopolitical instability causes global footprint rethink

A heightened state of cyber alert is often also linked to global events, and concerns over geopolitical instability have increased this year, with 54% of the Top 100 law firms extremely or somewhat concerned - up from 48% last year.

This geopolitical uncertainty looks unlikely to abate any time soon, with Middle East volatility escalating, the ongoing Russia/Ukraine conflict exacerbating regional tensions in Eastern Europe, rising populism creating unrest in Western Europe, and US/China rivalry continuing.

Geopolitics can have a significant impact on the global offices of international law firms through data, confidentiality and compliance concerns, hitting fee income and profits in some geographies. As a result, many UK and US law firms either have, or are putting in place, more mature risk management governance models, such as three lines of defence and risk/client committees, and are constantly evaluating their international footprint from a risk/return perspective.

Managing client and financial crime risk

Money laundering, fraud and other illegal activities remain another major area of risk exposure for law firms, particularly with the Solicitors’ Regulation Authority (SRA) taking a more proactive approach to anti-money laundering regulations and managing financial crime risk.

Staying ahead of these risks requires more sophisticated frameworks for governing and managing risk. But many law firms are still relatively immature and inefficient compared to other large consulting and professional services firms in their Know Your Customer (KYC) due diligence processes and sanctions checks. There are opportunities for firms to automate and use better technology, and deploy outsourced managed services to improve performance in these areas.

Building the resilience to adapt and protect

The wide-ranging and sometimes unpredictable nature of these complex risks and the ecosystems they impact demands that law firms take a more strategic approach to building resilience. Cyber security in particular can’t be viewed in isolation, and it is key that cyber risk is considered more broadly as part of an overarching IT resilience programme.

Bringing together the right technology, data and skills to create stronger governance and risk management frameworks enables law firms to develop the panoramic vision needed to better understand and predict risk, and see the interconnections, dependencies and potential impacts more clearly.

Resilience is also more than just crisis exercises and business continuity planning, important as they are. It needs an open and challenging culture, with diversity of thought, where people can speak their minds.

By building stronger risk management capabilities, thinking about broader resilience across the technology infrastructure and supply chain, and investing more in cyber preparedness, law firms can adapt and respond more effectively to whatever disruption and challenges lie ahead, protecting their reputation and client data with confidence.